User Account

All Pages

Briefly describe the windows native api

Assignment Help Assembly Language
Reference no: EM132572924 , Length: 6 pages

Discussion

This week's discussion will focus on the Win32 API that is discussed in more depth in Chapter 7. Each student will be assigned a Win32 function to research on the MSDN library and share their findings. Explain the functions usage, return type, parameters, parameter data types, and a potential real-world scenario where malware may make use of this function. Which dll contains the function's definition? Also, provide a code snippet in either C or assembly as an example of the function's usage. If MSDN provides a code example, don't just blatantly copy the code. That tells me nothing other than you know how to copy and paste. Demonstrate that you understand how to read a function's documentation and usage. If you are super motivated, provide both high level source code and assembly code!

As an example, I attached a copy of my analysis on the CreateFile() API Function.

You can pick your own function to discuss from the below list. If there is another function you read about that's not on the list, then you can discuss that function instead. Lets try to avoid duplicates, but I know this is difficult to deconflict so no worries if we have a function collision. I do not need an exhaustive list of all the potential constants for each parameter. Nor do I want a copy and paste from the MSDN documentation. I can read the documentation myself, there is no need to reproduce it. Instead focus on what you think is important. If your analysis is longer than mine, then you did too much work! Typically, the first hit from a google search will bring you to the correct MSDN documentation.

Part 1 - Diffuse the Bomb

The part 1 lab exercise is based on material covered in chapters 4, 5, and 6.

There is a bomb on your system! Your reverse engineering skills are required to diffuse the bomb and save countless bits. Load bomb.exe into IDA to discover the keys to diffuse the bomb. You can attempt each stage as many times as needed. All stages must be completed in order. Do not tamper with the bomb's binary, as it may invoke an accidental discharge. Only use static code analysis via IDA to find the keys.

There are five stages to diffuse. For each stage, record the key and provide a summary of the code construct or algorithm used for the key. In other words, did the bomb test for the stage's key using an if-statement, switch, loop, or some other variation? You should include screenshots from your IDA display to show where you discovered the key.

If you are stuck at a stage and wish to attempt later stages, ask your chief binary explosive ordnance disposal officer (your instructor) for that stage's key. However, you will not receive credit for solving that stage.

There is a bonus stage unlocked after the bomb is diffused. You may wish to attempt that stage for bragging rights. There is also an optional secret stage that you must unlock before it can be attempted. Your instructor may grant extra credit for unlocking and solving the secret stage.

1. Stage 1.
a. Key:
b. Briefly describe how you found the key.

2. Stage 2.
a. Key:
b. Briefly describe how you found the key.

3. Stage 3.
There are several possible keys for this stage. For full credit, provide all possible keys.
a. Key:
b. Briefly describe how you found the key.

4. Stage 4.
a. Key:
b. Briefly describe how you found the key.

5. Stage 5.
a. Key:
b. Briefly describe how you found the key.

6. Bonus Stage.
a. Key:
b. Briefly describe how you found the key.

7. Which compiler do you suspect was used to build this bomb? What is your evidence?

Part 2 - Analyzing Windows Programs

1) What is a handle in the Windows OS?

2) NTFS Alternate data streams (ADS) are sometimes used to stage malware or hide information. Create an ADS in the Lab3 folder that stores the message "Norwich Forever". Show a screenshot of dir and dir /R to validate your ADS.

3) List and briefly describe the five Windows Registry Root Keys.

4) Describe what the following code segment is doing. Which function is being called? From what is provided, what are the values (or locations) of the function's parameters. Why would malware contain such code?

5) Analyze the following source code. What is the purpose of the WSAStartup() function? Explain what kind of socket is being created by examining the parameters.

6) What are COM objects, and how are they accessed?

7) Briefly explain the following code.

8) Briefly describe the Windows Native API. Which dll contains Native API functions? How can you easily recognize a Native API call when analyzing function calls?

For the following questions, analyze the sample Lab3.exe.

9) Document the basic static file information.

10) Using IDA, analyze the sample. Your analysis must contain considerable depth to explain the program's mechanics and convey comprehension of the concepts. Include some relevant screenshots from IDA that contain interesting information. Analysis of some of the malware's functionality is provided below for you as an example. The provided analysis will help you determine the program's overall intent. Your analysis should cover:

a. Persistence mechanisms (registry, services, functions used, etc).
b. Mutex information (name of mutex, purpose of mutex, functions used, etc).
c. Any thread information (functions used to create thread, thread StartAddress information, number of threads created, etc.)
d. Networking information (Domains, protocols, functions used, etc.).
e. Conclusions. What do you suppose is the malware's overall intent?How would you classify this malware (ransomware, worm, adware, logic bomb, etc)? Can you recommend a way to remove the malware's persistence (HINT: sc command-line program).

Attachment:- Discussion.rar

Reference no: EM132572924

Questions Cloud

How many tubs of gelato must the store sell per week : The fixed costs per week are $1350. How many tubs of gelato must the store sell per week in order to break even
Analyze role of social worker in helping to plan end of life : Analyzes the role of the social worker in helping to plan end-of-life care. Include possible consideration of palliative care, euthanasia, hospice care.
Compute company predetermined overhead rate : Compute the company's predetermined overhead rate for the year and the amount of underapplied or overapplied overhead for the year.
What edmund morgan called the american paradox : What Edmund Morgan called the American Paradox vis-à-vis not only African Americans, but also Native Americans and other nonwhites?
Briefly describe the windows native api : Briefly describe the Windows Native API. Which dll contains Native API functions? How can you easily recognize a Native API call when analyzing function calls
Describe two things learned from the invisible war film : Describe TWO things you learned from the Invisible War film that you did not previously know about sexual assault in the U.S. military.
Different types of signaling systems to human body : Further discuss what common features are shared by most cell signaling systems.
Products of anaerobic respiration remain unchanged : You have been working in a biochemistry lab and have discovered a drug that allows anaerobic cellular respiration to proceed
Describe the theory of knowledge called skepticism : Describe the theory of knowledge called skepticism. Consider the skeptic's charge that we can never be confident about the reliability of our normal sources

Reviews

Write a Review

Assembly Language Questions & Answers

  Create a assembly language subroutine

Create a assembly language subroutine MULSUM that takes an array named A containing n bytes of positive numbers, and fills two arrays, array B containing n words and array C containing n long words

  Write a function in linux assembly

Write a function in Linux assembly

  Analog measurements

Prepare an assembly program for the correctly measures the wind direction

  Design a simple digital clock

Design a simple digital clock

  Write an assembly program

Prepare an Assembly program that reads in a number of cents.

  Write an assembly language program

Write an assembly language program for encrypting alphabates of a string

  Greatest common divisor of integers-masm assembly language

Must be done in MASM assembly language: Greatest common divisor of two integers is largest integer which will evenly divide both integers. GCD algorithm involves integer division in a loop.

  Write assembly program-find right admission price to movie

Write the Assembly program to find correct admission price to movie. Price of admission to a movie is $7 for kids (under 12) and $9 for adults.

  Create simple 8-bit alu using add-subtract-shift functions

Create a simple 8-bit ALU. Requirements:The eight functions that you will implement are: add, subtract, and, or, shift left logical, less than, shift right logical.

  Write assembly program print binary representation-integers

Write the assembly program called hw6_ex1, stored in file hw6_ex1.asm. This program must prompt user to enter signed 32-bit integer. Program must print out binary representation of the integer.

  Allot op-codes and add microcode to microprogram

Allot op-codes and add microcode to microprogram of Mic-1 to implement following instructions which are then included with IJVM instruction set.

  Write mips assembly program to read two non-negative numbers

Write MIPS assembly program to repeatedly read two non-negative integers and print integer product and quotient without using multiplication and division instructions.

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd